[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
Jonathan Hunter
jmhunter1 at gmail.com
Wed Nov 22 00:07:27 UTC 2023
Hi Andrew
On Fri, 10 Nov 2023 at 15:50, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
> 0776ce5caedf18aa8cc1d1dddb1a425f3d0c926c is the first bad commit
> commit 0776ce5caedf18aa8cc1d1dddb1a425f3d0c926c
> CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on
> SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / L
> DAP_MATCHING_RULE_IN_CHAIN
>
> I've created a bug for this in bugzilla, hope that's helpful:
> https://bugzilla.samba.org/show_bug.cgi?id=15515
Is there anything I can do to help with this?
Looking through git changes, I found this commit with the same commit
message as returned by my 'git bisect' (I am not sure why the commit
IDs are different to the output of my 'git bisect'?), that looks like
a very simple change:
https://gitlab.com/samba-team/samba/-/commit/dfe7b05730425e9f1b0616bb7757dbf77bae6cd2
(if the view I get from gitlab is correct, it's a one-line change to
lib/ldb-samba/ldb_matching_rules.c )
I checked out revision samba-4.19.2 and reverted just this one line
change, and can confirm that my LDAP query works correctly again in
that scenario.
I'm sure the fix isn't as simple as "revert the change", as it was
added for a reason - but it seems to have led to a regression for me
and has broken my LDAP searches that use LDAP_MATCHING_RULE_IN_CHAIN.
Is there any sensible route I can help move this forward?
Thanks!
Jonathan
--
"If we knew what it was we were doing, it would not be called
research, would it?"
- Albert Einstein
More information about the samba
mailing list